网易云音乐PC客户端加密API逆向解析教学文档<\/h1>

1. 前言<\/h2>
本文详细解析网易云音乐PC客户端(版本2.3.0.196231)的API接口加密机制，重点分析params参数的生成方式，用于模拟客户端与服务器的交互。<\/p>

2. 初步分析<\/h2>

2.1 文件结构分析<\/h3>

动态链接库与可执行文件<\/strong>：<\/p>

libcurl.dll<\/code>：仅用于程序启动时的少量网络交互<\/li>
libcef.dll<\/code>：基于C\/C++的Web browser控件，主交互界面<\/li>
cloudmusic.dll<\/code>：核心功能模块<\/li> <\/ul> <\/li>
资源文件<\/strong>：<\/p> package\/<\/code>目录下的.ntpk<\/code>文件：加密的ZIP格式资源文件<\/li> orpheus.ntpk<\/code>：包含核心JS文件(core.js)，但被加密<\/li> <\/ul> <\/li> <\/ul> 3. 逆向过程<\/h2> 3.1 获取加密ZIP密码<\/h3> 使用调试器(如x64dbg)断点在CreateFileW<\/code>系统API<\/li> 跟踪文件加载过程，定位解压操作<\/li> 通过内存分析找到解压密码(具体密码逆向过程略)<\/li> <\/ol> 3.2 修改资源文件<\/h3> 由于资源文件有数字签名保护，直接修改会导致程序无法启动，需以下步骤：<\/p> 分析签名机制<\/strong>：<\/p> 使用Windows CSP(加密服务提供程序)库<\/li> SHA1签名算法<\/li> 文件头结构： 4字节"NTPK"标识<\/li> 4字节文件长度<\/li> 256字节校验数据<\/li> 实际ZIP内容<\/li> <\/ul> <\/li> <\/ul> <\/li> 绕过签名验证<\/strong>：<\/p> 修改cloudmusic.dll<\/code>中的公钥<\/li> 或修改验证逻辑的跳转指令<\/li> <\/ul> <\/li> <\/ol> 3.3 启用远程调试<\/h3> 修改cloudmusic.dll<\/code>中的CEF结构体，开启调试端口(9222)<\/li> 补充devtools资源文件<\/li> 通过http:\/\/127.0.0.1:9222<\/code>访问DevTools<\/li> <\/ol> 4. 加密算法分析<\/h2> 4.1 params生成流程<\/h3> 输入参数：<\/p> url<\/code>：请求路径<\/li> data<\/code>：提交的JSON数据<\/li> <\/ul> <\/li> 计算MD5：<\/p> md5_str =<\/span> md5("nobody"<\/span> +<\/span> url +<\/span> "use"<\/span> +<\/span> data +<\/span> "md5forencrypt"<\/span>) <\/span><\/span><\/code><\/pre><\/li> 二次拼接：<\/p> to_encrypt =<\/span> url +<\/span> "-36cd479b6b5-"<\/span> +<\/span> data +<\/span> "-36cd479b6b5-"<\/span> +<\/span> md5_str <\/span><\/span><\/code><\/pre><\/li> 填充对齐：<\/p> 按0x10字节对齐<\/li> 缺少部分用缺少的位数填充(如缺3字节则填充0x03)<\/li> <\/ul> <\/li> 私有加密算法：<\/p> 每次处理16字节数据<\/li> 使用动态生成的辅助加密数据(固定)<\/li> 包含大量异或和位移操作<\/li> <\/ul> <\/li> <\/ol> 4.2 加密算法伪代码<\/h3> void<\/span> encrypt_block<\/span>(uint8_t<\/span> *<\/span>block, uint8_t<\/span> *<\/span>key) { <\/span><\/span> uint32_t<\/span> a =<\/span> *<\/span>(uint32_t<\/span>*<\/span>)block; <\/span><\/span> uint32_t<\/span> b =<\/span> *<\/span>(uint32_t<\/span>*<\/span>)(block+<\/span>4<\/span>); <\/span><\/span> uint32_t<\/span> c =<\/span> *<\/span>(uint32_t<\/span>*<\/span>)(block+<\/span>8<\/span>); <\/span><\/span> uint32_t<\/span> d =<\/span> *<\/span>(uint32_t<\/span>*<\/span>)(block+<\/span>12<\/span>); <\/span><\/span> <\/span><\/span> for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> 16<\/span>; i++<\/span>) { <\/span><\/span> uint32_t<\/span> tmp =<\/span> a; <\/span><\/span> a =<\/span> b ^<\/span> (key[i*<\/span>4<\/span>] |<\/span> (key[i*<\/span>4<\/span>+<\/span>1<\/span>]<<<\/span>8<\/span>) |<\/span> (key[i*<\/span>4<\/span>+<\/span>2<\/span>]<<<\/span>16<\/span>) |<\/span> (key[i*<\/span>4<\/span>+<\/span>3<\/span>]<<<\/span>24<\/span>)); <\/span><\/span> b =<\/span> c; <\/span><\/span> c =<\/span> d; <\/span><\/span> d =<\/span> tmp; <\/span><\/span> } <\/span><\/span> <\/span><\/span> *<\/span>(uint32_t<\/span>*<\/span>)block =<\/span> a; <\/span><\/span> *<\/span>(uint32_t<\/span>*<\/span>)(block+<\/span>4<\/span>) =<\/span> b; <\/span><\/span> *<\/span>(uint32_t<\/span>*<\/span>)(block+<\/span>8<\/span>) =<\/span> c; <\/span><\/span> *<\/span>(uint32_t<\/span>*<\/span>)(block+<\/span>12<\/span>) =<\/span> d; <\/span><\/span>} <\/span><\/span><\/code><\/pre>5. 实现模拟请求<\/h2> 5.1 请求示例<\/h3> import<\/span> hashlib <\/span><\/span>import<\/span> json <\/span><\/span> <\/span><\/span>def<\/span> generate_params<\/span>(url, data): <\/span><\/span> # 转换为JSON字符串并去除空格<\/span> <\/span><\/span> data_str =<\/span> json.<\/span>dumps(data, separators=<\/span>(','<\/span>, ':'<\/span>)) <\/span><\/span> <\/span><\/span> # 计算MD5<\/span> <\/span><\/span> md5_str =<\/span> hashlib.<\/span>md5( <\/span><\/span> ("nobody"<\/span> +<\/span> url +<\/span> "use"<\/span> +<\/span> data_str +<\/span> "md5forencrypt"<\/span>).<\/span>encode() <\/span><\/span> ).<\/span>hexdigest() <\/span><\/span> <\/span><\/span> # 构造待加密字符串<\/span> <\/span><\/span> to_encrypt =<\/span> f<\/span>"<\/span>{<\/span>url}<\/span>-36cd479b6b5-<\/span>{<\/span>data_str}<\/span>-36cd479b6b5-<\/span>{<\/span>md5_str}<\/span>"<\/span> <\/span><\/span> <\/span><\/span> # 填充对齐<\/span> <\/span><\/span> pad_len =<\/span> 16<\/span> -<\/span> (len(to_encrypt) %<\/span> 16<\/span>) <\/span><\/span> to_encrypt +=<\/span> chr(pad_len) *<\/span> pad_len <\/span><\/span> <\/span><\/span> # 加密处理(此处简化，实际需实现完整算法)<\/span> <\/span><\/span> encrypted =<\/span> custom_encrypt(to_encrypt.<\/span>encode()) <\/span><\/span> <\/span><\/span> # 转换为大写十六进制字符串<\/span> <\/span><\/span> params =<\/span> ''<\/span>.<\/span>join(f<\/span>"<\/span>{<\/span>b:<\/span>02X<\/span>}<\/span>"<\/span> for<\/span> b in<\/span> encrypted) <\/span><\/span> return<\/span> params <\/span><\/span> <\/span><\/span># 示例请求<\/span> <\/span><\/span>url =<\/span> "\/api\/song\/enhance\/player\/url"<\/span> <\/span><\/span>data =<\/span> { <\/span><\/span> "ids"<\/span>: "[123456]"<\/span>, <\/span><\/span> "br"<\/span>: 320000<\/span>, <\/span><\/span> "csrf_token"<\/span>: ""<\/span> <\/span><\/span>} <\/span><\/span>params =<\/span> generate_params(url, data) <\/span><\/span><\/code><\/pre>5.2 响应解密<\/h3> 部分API响应也是加密的，可通过设置e_r<\/code>参数控制：<\/p> e_r=0<\/code>：返回明文<\/li> e_r=1<\/code>：返回加密数据(需解密)<\/li> <\/ul> 6. 总结<\/h2> 网易云音乐PC客户端使用多层保护：<\/p> 资源文件加密压缩<\/li> 数字签名验证<\/li> 自定义加密算法<\/li> <\/ul> <\/li> 核心加密流程：<\/p> 基于MD5和自定义加密算法<\/li> 需要处理对齐填充<\/li> 使用固定密钥和辅助数据<\/li> <\/ul> <\/li> 逆向技巧：<\/p> 通过内存分析定位关键代码<\/li> 利用CEF调试接口<\/li> 修改DLL绕过保护机制<\/li> <\/ul> <\/li> <\/ol> 7. 扩展思考<\/h2> 加密算法的可逆性分析<\/li> 不同版本间的算法差异<\/li> 移动端与PC端加密机制对比<\/li> 更高效的逆向分析方法<\/li> <\/ol> 8. 注意事项<\/h2> 本文仅用于学习研究目的<\/li> 实际实现需考虑不同版本的差异<\/li> 网易云音乐可能随时更新加密机制<\/li> 商业使用需获得官方授权<\/li> <\/ol> 附录：关键函数偏移(基于2.3.0.196231版本)<\/h2> 公钥位置：cloudmusic.dll + 0x7C3438<\/code><\/li> 调试端口设置：cloudmusic.dll + 0x14EED<\/code><\/li> 加密函数入口：cloudmusic.dll + 0x123456<\/code> (示例，实际需分析)<\/li> <\/ul>

网易云音乐PC客户端加密API逆向解析教学文档<\/h1>

1. 前言<\/h2> 本文详细解析网易云音乐PC客户端(版本2.3.0.196231)的API接口加密机制，重点分析params参数的生成方式，用于模拟客户端与服务器的交互。<\/p>

2. 初步分析<\/h2>

3. 逆向过程<\/h2>

4. 加密算法分析<\/h2>

5. 实现模拟请求<\/h2>

附录：关键函数偏移(基于2.3.0.196231版本)<\/h2> 公钥位置：cloudmusic.dll + 0x7C3438<\/code><\/li> 调试端口设置：cloudmusic.dll + 0x14EED<\/code><\/li> 加密函数入口：cloudmusic.dll + 0x123456<\/code> (示例，实际需分析)<\/li> <\/ul>

1. 前言<\/h2>
本文详细解析网易云音乐PC客户端(版本2.3.0.196231)的API接口加密机制，重点分析params参数的生成方式，用于模拟客户端与服务器的交互。<\/p>

附录：关键函数偏移(基于2.3.0.196231版本)<\/h2>

公钥位置：`cloudmusic.dll + 0x7C3438<\/code><\/li>`
`调试端口设置：cloudmusic.dll + 0x14EED<\/code><\/li>`
`加密函数入口：cloudmusic.dll + 0x123456<\/code> (示例，实际需分析)<\/li> <\/ul>`